cosmos db, generate authentication key on client for Azure Table endpoint

Question

Cosmos DB, API Azure Tables, gives you 2 endpoints in the Overview blade

• Document Endpoint
• Azure Table Endpoint

An example of (1) is

https://myname.documents.azure.com/dbs/tempdb/colls

An example of (2) is

https://myname.table.cosmosdb.azure.com/FirstTestTable?$filter=PartitionKey%20eq%20'car'%20and%20RowKey%20eq%20'124'

You can create the authorization code for (1) on the client using the prerequest code from this Postman script: https://github.com/MicrosoftCSA/documentdb-postman-collection/blob/master/DocumentDB.postman_collection.json

Which will give you a code like this:

Authorization: type%3Dmaster%26ver%3D1.0%26sig%3DavFQkBscU...

This is useful for playing with the rest urls

For (2) the only code I could find to generate a code that works was on the server side and gives you a code like this:

Authorization: SharedKey myname:JXkSGZlcB1gX8Mjuu...

I had to get this out of Fiddler

My questions

(i) Can you generate a code for case (2) above on the client like you can for case (1)

(ii) Can you securely use Cosmos DB from the client?

Answer 1

If you go to the Azure Portal for a GA Table API account you won't see the document endpoint anymore. Instead only the Azure Table Endpoint is advertised (e.g. X.table.cosmosdb.azure.com). So we'll focus on that.

When using anything but direct mode with the .NET SDK, our existing SDKs when talking to X.table.cosmosdb.azure.com endpoint are using the SharedKey authentication scheme. There is also a SharedKeyLight scheme which should also work. Both are documented in https://learn.microsoft.com/en-us/rest/api/storageservices/authentication-for-the-azure-storage-services. Make sure you read the sections specifically on the Table Service. The thing to notice is that a SharedKey header is directly tied to the request it is associated with. So basically every request needs a unique header. This is useful for security because it means that a leaked header can only be used for a limited time to replay a specific request. It can't be used to authorize other requests. But of course that is exactly what you are trying to do.

An alternative is the SharedKeyLight header which is a bit easier to implement as it just requires a date and the a URL.

But we don't have externalized code libraries to really help with either.

But there is another solution that is much friendly to things like Fiddler or Postman, which is to use a SAS URL as defined in https://blogs.msdn.microsoft.com/windowsazurestorage/2012/06/12/introducing-table-sas-shared-access-signature-queue-sas-and-update-to-blob-sas/.

There are at least two ways to get a SAS token. One way is to generate one yourself. Here is some sample code to do that:

        var connectionString = "DefaultEndpointsProtocol=https;AccountName=tableaccount;AccountKey=X;TableEndpoint=https://tableaccount.table.cosmosdb.azure.com:443/;";
        var tableName = "ATable";

        CloudStorageAccount storageAccount = CloudStorageAccount.Parse(connectionString);
        CloudTableClient tableClient = storageAccount.CreateCloudTableClient();
        CloudTable table = tableClient.GetTableReference(tableName);
        await table.CreateIfNotExistsAsync();

        SharedAccessTablePolicy policy = new SharedAccessTablePolicy()
        {
            SharedAccessExpiryTime = DateTime.UtcNow.AddMinutes(1000),
            Permissions = SharedAccessTablePermissions.Add
            | SharedAccessTablePermissions.Query
            | SharedAccessTablePermissions.Update
            | SharedAccessTablePermissions.Delete
        };

        string sasToken = table.GetSharedAccessSignature(
            policy, null, null, null, null, null);

This returns the query portion of the URL you will need to create a SAS URL.

Another, code free way, to get a SAS URL is to go to https://azure.microsoft.com/en-us/features/storage-explorer/ and download the Azure Storage Explorer. When you start it up it will show you the "Connect to Azure Storage" dialog. In that case:

1. Select "Use a connection string or a shared access signature URI" and click next
2. Select "Use a connection string" and paste in your connection string from the Azure Portal for your Azure Cosmos DB Table API account and click Next and then click Connect in the next dialog
3. In the Explorer pane on the left look for your account under "Storage Accounts" (NOT Cosmos DB Accounts (Preview)) and then click on Tables and then right click on the specific table you want to explore. In the right click dialog you will see an entry for "Get Shared Access Signature", click on that.
4. A new dialog titled "Generate Shared Access Signature" will show up. Unfortunately so will an error dialog complaining about "NotImplemented", you can ignore that. Just click OK on the error dialog.
5. Now you can choose how to configure your SAS, I usually just take the defaults since that gives the widest access permission. Now click Create.

The result will be a dialog with both a complete URL and a query string.

So now we can take that URL (or create it ourselves using the query output from the code) and create a fiddler request:

GET https://tableaccount.table.cosmosdb.azure.com/ATable?se=2018-01-12T05%3A22%3A00Z&sp=raud&sv=2017-04-17&tn=atable&sig=X&$filter=PartitionKey%20eq%20'Foo'%20and%20RowKey%20eq%20'bar' HTTP/1.1
User-Agent: Fiddler
Host: tableaccount.table.cosmosdb.azure.com
Accept: application/json;odata=nometadata
DataServiceVersion: 3.0

To make the request more interesting I added a $filter operation. This is an OData filter that lets us explore the content. Note, btw, to make filter work both the Accept and DataServiceVersion headers are needed. But you can use the base URL (e.g. without the filter parameter) to make any of the REST API calls on a specific table.

Do be aware that the SAS token is scoped to an individual table. So higher level operations won't work with this SAS token.